Release | 1.0 |
Date | 12/12/2003 |
The following document describes the states a PID account can have in the Enterprise Directory system.
It also explains whether a person can authenticate while in those states and how an account may transition from state to state.
The state of an account's password is separate from the general state of the account.
A password may be in only one of two states: active or expired.
An active password can be used for authentication; an expired password may not.
While some general account transitions may affect a user's password state, as noted below, it may also be changed independently of such transitions.
Account States and Visibility
Account states have no effect on whether a person is, or is not, visible in tools such as PeopleSearch and systems like ED-Lite.
*No PID* | Represents a person who has information in the registry but does not have a PID. |
*Active* | Represents the normal state of a person's account. An account in this state should have access to all services it is authorized to use. |
*Locked* | Represents a person's account that has been temporarily disabled. In this state a person may no longer access any services they are normally authorized to use. Individual systems should disable the account, but should not change the authorization privileges a user has. No authentication is possible while in this state. |
*Shelved* | Represents a person's account that is no longer authorized to use any VT services. Individual systems should remove any privileges a user has on that system if the PID is in this state. No authentication is possible while in this state. |
*To Be Deleted* | Represents an account that has been deleted, for all intents and purposes, but for which not all services have yet performed the cleanup processes necessary to completely remove the account. No authentication is possible while in this state. |
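The rules in the table above can be expressed as a check that a downstream service runs against its own copy of an account. The following Python sketch is an added example, not code from the Enterprise Directory project; the `LocalAccount` record, the function names, and the handling of No PID and To Be Deleted privileges are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class AccountState(Enum):
    NO_PID = "No PID"
    ACTIVE = "Active"
    LOCKED = "Locked"
    SHELVED = "Shelved"
    TO_BE_DELETED = "To Be Deleted"


class PasswordState(Enum):
    ACTIVE = "active"
    EXPIRED = "expired"


def can_authenticate(account: AccountState, password: PasswordState) -> bool:
    """Account state and password state are tracked separately; both must allow it."""
    # Assumption: a person with no PID has no account to authenticate with.
    return account is AccountState.ACTIVE and password is PasswordState.ACTIVE


@dataclass
class LocalAccount:
    """Hypothetical record a downstream service keeps for one PID."""
    pid: str
    enabled: bool = True
    privileges: set = field(default_factory=set)
    pending_cleanup: bool = False


def apply_directory_state(local: LocalAccount, state: AccountState) -> LocalAccount:
    """Bring the service's local record in line with the directory state."""
    if state is AccountState.ACTIVE:
        local.enabled = True              # privileges stay as granted
    elif state is AccountState.LOCKED:
        local.enabled = False             # disable, but keep privileges intact
    elif state is AccountState.SHELVED:
        local.enabled = False
        local.privileges.clear()          # no longer authorized for anything
    elif state is AccountState.TO_BE_DELETED:
        local.enabled = False
        local.privileges.clear()          # assumption: treated like Shelved
        local.pending_cleanup = True      # this service still owes its cleanup
    else:  # NO_PID: assumption, fail closed since the page defines no behaviour
        local.enabled = False
        local.privileges.clear()
    return local
```
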
One of the following things could effect this transition:
Administrative staff or processes may effect this transition, usually due to account abuse or a person's disassociation with the university.
An example process that may lock an account is a process that detects password cracking attempts.
Administrative staff or processes may effect this transition.
The PID will not need to be re-authorized to services.
The most common cause for this transition will be administrative processes due to inactivity or internal system events (such as the separation of an employee from the university). Administrative staff may also move an account into this state.
During this transition the password should be set to an expired state.
This transition is most often performed manually by administrative staff, but could also be the result of a process, for example one that detects that a person has become eligible for a PID again.
The PID will also need to be re-authorized for any services it should have access to and its password will need to be reset.
The most common cause for this transition will be administrative processes due to inactivity or internal system events (such as the separation of an employee from the university). Administrative staff may also move an account into this state.
During this transition the password should be set to an expired state.
This transition can be caused either by administrative staff wishing to immediately release a PID or by administrative processes.
This transition occurs after all services have been told to delete the PID’s accounts on those systems. The password is destroyed, irrevocably, at this point.